On 21/12/12 15:32, Chris Green wrote:
> This is the relevant entry in the apache2 access.log:-
> 178.63.53.21 - - [21/Dec/2012:11:36:46 +0000] "POST /svox/wp-login.php HTTP/1.1" 200 1912 "http://zbmc.eu/svox/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> There are in fact *lots* of near identical entries with the only difference being that they're from different IP addresses, so I don't quite understand why only one IP is reported by logwatch.
I don't know why that would happen either, unless that address tried twice perhaps?
> I suspect that they're attempts to hack the WordPress site at that URL; they don't seem to have succeeded, I can't see any corrupt pages. Anyway, the site is a development one rather than a published one.
Silly question - does it need to be accessible to the outside world if it's a development website? If not, perhaps hide it behind a firewall until it's ready?
> I guess it *could* be a buffer overflow exploit, I'll have to check that out.
Yes, and check your webserver is up-to-date with all the software updates, inc. WordPress and Apache ones, and research all the things you can do to "Harden" WordPress and Apache.
Presumably you've got it all firewalled too and you've tried something like Shieldsup at grc.com to check that there are no unexpectedly open ports?
HTH
Steve
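To count how many distinct sources sit behind entries like the one quoted above, the following added example (not part of the original thread) parses Apache combined-format lines and groups POSTs to wp-login.php by path and user agent. All log lines except the first are constructed, and the 200-versus-302 reading assumes stock WordPress behaviour.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

def _line(ip, clock, method, path, status, size, agent=UA):
    return (f'{ip} - - [21/Dec/2012:{clock} +0000] "{method} {path} HTTP/1.1" '
            f'{status} {size} "http://zbmc.eu/svox/wp-login.php" "{agent}"')

# The first entry reproduces the line quoted in the thread; the others are constructed
# samples (RFC 5737 documentation addresses, made-up times and second browser string).
SAMPLE_LOG = [
    _line("178.63.53.21", "11:36:46", "POST", "/svox/wp-login.php", 200, 1912),
    _line("192.0.2.10", "11:36:49", "POST", "/svox/wp-login.php", 200, 1912),
    _line("198.51.100.7", "11:36:53", "POST", "/svox/wp-login.php", 200, 1912),
    _line("203.0.113.44", "11:37:02", "POST", "/svox/wp-login.php", 200, 1912),
    _line("178.63.53.21", "11:37:05", "POST", "/svox/wp-login.php", 200, 1912),
    _line("192.0.2.200", "11:40:00", "GET", "/svox/", 200, 5120, "Mozilla/5.0 (X11; Linux x86_64)"),
    _line("192.0.2.200", "11:40:12", "POST", "/svox/wp-login.php", 302, "-", "Mozilla/5.0 (X11; Linux x86_64)"),
]

def summarize_login_posts(lines, min_sources=3):
    """Return (path, agent) groups of wp-login.php POSTs seen from >= min_sources IPs."""
    groups = defaultdict(lambda: {"ips": set(), "posts": 0, "redirects": 0})
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]          # ignore any query string
        if not path.endswith("/wp-login.php"):
            continue
        g = groups[(path, m["agent"])]
        g["ips"].add(m["ip"])
        g["posts"] += 1
        # Assumption: stock WordPress re-renders the form (200) on a failed login
        # and redirects (302) on a successful one, so 302s deserve a closer look.
        if m["status"] == "302":
            g["redirects"] += 1
    return [{"path": p, "agent": a, "sources": len(g["ips"]),
             "posts": g["posts"], "redirects": g["redirects"]}
            for (p, a), g in sorted(groups.items()) if len(g["ips"]) >= min_sources]

if __name__ == "__main__":
    for row in summarize_login_posts(SAMPLE_LOG):
        print(row)
```

Feeding it the real access.log (one line per list element) gives a per-user-agent view that does not depend on how logwatch aggregates the same requests.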